neshta | cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470

Analysis

max time kernel
50s
max time network
152s
platform
windows10_x64
resource
win10-20220223-en
submitted
03-03-2022 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe
Size

4.9MB
MD5

09f5e3fc4a15fbf25724fc2f95394166
SHA1

99d985c1562944169823da75a5b8246e83cf7232
SHA256

cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
SHA512

7cde89e56f79a3c626e0d1779783b8a47d76aee11c27987a1fa9cbcbf94e613c7f76d7f743e49668a0b369c62aed9f2f5552b7278cafa76b2562d62d0915b6bf

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3792-114-0x0000000000400000-0x00000000008F3000-memory.dmp	family_neshta
C:\Users\Admin\AppData\Local\Temp\GRAND THEFT AUTO 5.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\GRAND THEFT AUTO 5.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\KLNR.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\KLNR.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

KLNR.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" KLNR.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 3 IoCs

Processes:

GRAND THEFT AUTO 5.exeKLNR.exeKLNR.exe

pid process

3968 GRAND THEFT AUTO 5.exe
3988 KLNR.exe
2556 KLNR.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

KLNR.exe

pid process

2556 KLNR.exe

pid	process
3968	GRAND THEFT AUTO 5.exe
3988	KLNR.exe
2556	KLNR.exe

pid	process
2556	KLNR.exe

Drops file in Program Files directory 64 IoCs

Processes:

KLNR.exeGRAND THEFT AUTO 5.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	KLNR.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	GRAND THEFT AUTO 5.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	GRAND THEFT AUTO 5.exe

Drops file in Windows directory 2 IoCs

Processes:

KLNR.exeGRAND THEFT AUTO 5.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	KLNR.exe
File opened for modification	C:\Windows\svchost.com	GRAND THEFT AUTO 5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

KLNR.exeOpenWith.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	KLNR.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

KLNR.exeOpenWith.exe

pid process

2556 KLNR.exe
436 OpenWith.exe

pid	process
2556	KLNR.exe
436	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exeKLNR.exeKLNR.exe

description	pid	process	target process
PID 3792 wrote to memory of 3968	3792	cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe	GRAND THEFT AUTO 5.exe
PID 3792 wrote to memory of 3968	3792	cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe	GRAND THEFT AUTO 5.exe
PID 3792 wrote to memory of 3968	3792	cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe	GRAND THEFT AUTO 5.exe
PID 3792 wrote to memory of 3988	3792	cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe	KLNR.exe
PID 3792 wrote to memory of 3988	3792	cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe	KLNR.exe
PID 3792 wrote to memory of 3988	3792	cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe	KLNR.exe
PID 3988 wrote to memory of 2556	3988	KLNR.exe	KLNR.exe
PID 3988 wrote to memory of 2556	3988	KLNR.exe	KLNR.exe
PID 3988 wrote to memory of 2556	3988	KLNR.exe	KLNR.exe
PID 2556 wrote to memory of 3928	2556	KLNR.exe	fondue.exe
PID 2556 wrote to memory of 3928	2556	KLNR.exe	fondue.exe
PID 2556 wrote to memory of 3928	2556	KLNR.exe	fondue.exe

C:\Users\Admin\AppData\Local\Temp\cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe
"C:\Users\Admin\AppData\Local\Temp\cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Local\Temp\GRAND THEFT AUTO 5.exe
"C:\Users\Admin\AppData\Local\Temp\GRAND THEFT AUTO 5.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3968

C:\Users\Admin\AppData\Local\Temp\KLNR.exe
"C:\Users\Admin\AppData\Local\Temp\KLNR.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\3582-490\KLNR.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\KLNR.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:3928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:436

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
MD5
471811cb30f5b707e1cb8d898ab9dd85

SHA1
d27a6db0457555ad5187eab3438073eb1034418e

SHA256
f4609ed3168deec3c6150a064956ce61bea6e18c746e55ca0b032ba56fc1f75c

SHA512
118f658797e84b08dd5495406ebb1c0dec96833ddbfe189777640085ddc47c3a943c2effed4273f4fec679269d1849ff9cd54bb31a1abb632438225cfca9af29

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
MD5
8e42f3a4a399d84e67ed633ba23863cb

SHA1
02ebfa5274214dcc48acfd24b8da3fb5cb93f6c6

SHA256
42716ea8beca9e555cef3b78a2fbf836c9da034318d625262810290309d955db

SHA512
0f6af721a89c2cf7249ecb1cc0a263c6252f8762b7381b35ccff6347d7d069799d2f0561bec0a651d690fbf29c98050bf15b604d3cca668b7437503ba102492f

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
MD5
2d3cc5612a414f556f925a3c1cb6a1d6

SHA1
0fee45317280ed326e941cc2d0df848c4e74e894

SHA256
fe46de1265b6fe2e316aca33d7f7f45c6ffdf7c49a044b464fd9dc88ec92091b

SHA512
cc49b200adf92a915da6f9b73417543d4dcc77414e0c4bd2ce3bfdfc5d151e0b28249f8d64f6b7087cf8c3bab6aeeab5b152ac6199cb7cc63e64a66b4f03a9f5

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
MD5
f1e707e6e6a6bd544e1f4c04dae68f0b

SHA1
7328d139b7378264796838c9b7ffedc233589cde

SHA256
98764ffe0366a01ae235033054556e52d6061633dfb6fba210940c89500809d2

SHA512
18a16bdb76f2749ed318873122b6e6374449d20cec4ae6a9fa1368a830a17064be266840dc89fe587ee0667b1d5b2942e32947a6e429109900816179ecdfe9cf

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
MD5
22913149a9d766c415c21e613e4e1d1b

SHA1
36b33b1ab48615ebe7bd25472d50ba3de56a21c6

SHA256
495ac0a638059cb60b2eebf3ac5e8fd17d5fbc7424195308f19e2ffeac3e0ced

SHA512
d9e5396bb24e3ad7ba31b45e8e1bfeb74c32895ab3af6544715c5db04da0442fafd82b06c49a920d964cf0a8fac7a58ccef4a173f1a5879c6733748edc180b14

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
MD5
2a226fd810c5ce7b825ff7982bc22a0b

SHA1
58be5cb790336a8e751e91b1702a87fc0521a1d8

SHA256
af9e01dab96c2a54e2751a0d703cc55fdcc5ac00c40f0be2e13fd85c09b66132

SHA512
f122ce37b07871b88e322b0ca2e42f3170704d4165167d6d7b02883da9d2be5d2d62bdbd9f7e18d1c0c5e60e9e707a3b64ddb99150c99028333818dfa769deeb

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
MD5
32853955255a94fcd7587ca9cbfe2b60

SHA1
c33a88184c09e89598f0cabf68ce91c8d5791521

SHA256
64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

SHA512
8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
MD5
cc5020b193486a88f373bedca78e24c8

SHA1
61744a1675ce10ddd196129b49331d517d7da884

SHA256
e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

SHA512
bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
MD5
015caa1588f703bd73bc7cfe9386ffe4

SHA1
747bec0876a67c0242ff657d47d7c383254ea857

SHA256
e5c6463292e3013ef2eb211dad0dfa716671241affbd8bed5802a94f03950141

SHA512
1fb3b2fa422d635c71a8e7865714516b7de1c32e6286f8b975be71b17a9186fcac78852e9467b4751b4eab69cb6af30140772858a758596596d09d767d170aab

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
MD5
4cf3954a39b7e27f364cbb5e58a3a957

SHA1
4498a5dea907da2b85e30bf6a1ebddfbaba2eb18

SHA256
f24a6d80aff3ee9ee65a609376d1aa3fdb3a034847ebbc0e4e65ff20ab0893fb

SHA512
d7dd8c5ad15dda561ae309fbf18e5ad2e852e951e937ea062cc0cb035df74ecb5a9aa636c6813aef37271268cedb1b3c5d39a8b6519fd54f5346445a2a9ef57d

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
MD5
31685b921fcd439185495e2bdc8c5ebf

SHA1
5d171dd1f2fc2ad55bde2e3c16a58abff07ae636

SHA256
4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c

SHA512
04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
91490c78c45cbd686ac759b6a252e898

SHA1
51bb6c5aa14cf478b0b6fa0329c7366d1f6fb480

SHA256
47f3331b4f35012d38bc11cdeae0ff7b4ae1186d4e916e3e48a9440438296821

SHA512
f7d44cd6df2c0c492731c14ca27e26605e8cddb9cb9287bf083fe1e43f753cafa11c341f0915510ad1d189466e92bb3f4e219b3599e9df72878bde14518bee35

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\GRAND THEFT AUTO 5.exe
MD5
3380e4eaedfd94b86d22c2ccae2ae5f8

SHA1
e132713e0f4f2cf62eecf024947ed0fed0c3f8c4

SHA256
67579baeb087562f0ca15b89c9b06ddab1b030d29078b59b404f89dac9808fbd

SHA512
545380936138bc3d7c84f4e4d7e04e6d7cf3a546446106265efcfc9d100342a6b0495d74237fd16a46ac41493e39f73f79bb001a48697d2f2b0ba8b6af45a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\KLNR.exe
MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\KLNR.exe
MD5
8563f76405eb62c0e2a62f57992cb413

SHA1
5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918

SHA256
a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838

SHA512
e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRAND THEFT AUTO 5.exe
MD5
52501176cb076f9426cc8f39d2b83d87

SHA1
b008648e4402f53654cf86b2a342f8b1394acdc1

SHA256
3c782d12aaa4de276b38ee1ec8003850b88cefb4dd7bdc607e5950a12627375b

SHA512
8ac6ae20532c7df2ab442370c8aba7d5b80d889ff3bdd3df55c6181d06c9394130eb02c6547f79e343fdfa952dbae780b1336cc19e778c8e50ec869b0851d2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRAND THEFT AUTO 5.exe
MD5
52501176cb076f9426cc8f39d2b83d87

SHA1
b008648e4402f53654cf86b2a342f8b1394acdc1

SHA256
3c782d12aaa4de276b38ee1ec8003850b88cefb4dd7bdc607e5950a12627375b

SHA512
8ac6ae20532c7df2ab442370c8aba7d5b80d889ff3bdd3df55c6181d06c9394130eb02c6547f79e343fdfa952dbae780b1336cc19e778c8e50ec869b0851d2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLNR.exe
MD5
581e2453eea2b19223861bd3f22abcfd

SHA1
d06ba4c40bd30a63853bb1406058c34ea4343a6d

SHA256
a62669cbeb70a97a2bddf0c37e48236c0601dd838b8105040bd80a614616b805

SHA512
1712914ff6c93ca73780d7f321fbb79f253b4bf9127f1535d849c8d16ba6d343522bfd2cd550e9e03f99963283a408762df99ac5e64d8c606fd690d13d152fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLNR.exe
MD5
581e2453eea2b19223861bd3f22abcfd

SHA1
d06ba4c40bd30a63853bb1406058c34ea4343a6d

SHA256
a62669cbeb70a97a2bddf0c37e48236c0601dd838b8105040bd80a614616b805

SHA512
1712914ff6c93ca73780d7f321fbb79f253b4bf9127f1535d849c8d16ba6d343522bfd2cd550e9e03f99963283a408762df99ac5e64d8c606fd690d13d152fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
21ef4235c0de84f856c580c15b2bb111

SHA1
cf0b9b59169ee85a50219ee0b8c6ef0fa24356bb

SHA256
353d5fcbb8c59a6f1cc5b9010e2728cb00aebfc38fb86329ffc2d6afc2679457

SHA512
016cc57f3d7389eec54ec55cfc3e27a0e231c27242310a8cf9fb3877b4caac79f4fa49cdddee0ad8f26a8ddf0f96555797f0f0cd5e9306971971af6f89d101ef

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/3792-114-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads